ARE YOU READY FOR WINDOWS 10? Presented by:
Todd Parkin & Chris Owens @kraftkennedy www.kraftkennedy.com/blog
#ILTACON #ILTA172
www.linkedin.com/company/kraft-kennedy New York | Washington DC | Texas | California
About Kraft Kennedy
• 27+ years of experience; long-standing commitment to legal; ILTA Platinum Sponsor / ALA Sponsor; experienced, highly trained and certified consultants; Premier Technology Partner
• 80 Exchange 2010/2013 projects, 80,000+ seats
• 100 Windows 7/8.1 and Office 2010/2013 projects, 90,000+ seats
• Data center migration strategy and implementation projects; disaster recovery / business continuity planning; technology assessments; project management; legal process management; security assessments, digital forensics and eDiscovery
Areas of practice: Information Security & Governance; Enterprise Client Systems; Support Practice Group; Legal Process Management; Infrastructure; Enterprise Systems; Management Consulting; Project Management
Our Partners
Agenda
• What’s new for Windows 10 in the Enterprise?
• How do I get there from here? Lessons learned from first adopters

Windows 10 for Enterprise
• Be more productive
• Innovative devices for your business
• Protection against modern security threats
• Managed for continuous innovation

MICROSOFT’S WINDOWS 10 VISION: One converged Windows platform
NEW CHALLENGES REQUIRE A NEW PLATFORM
• Identity protection
• Data protection
• Threat resistance
• Device security

Windows 10 Security Approach
• Identity Protection
• Information Protection
• Device Protection

Identity Protection
• Microsoft Passport
• Windows Hello
• Hyper-V “Virtual Secure Mode” (VSM)
Identity Protection: TYPICAL MULTI-FACTOR AUTHENTICATION IMPLEMENTATIONS
• High-value assets: protected with multi-factor authentication
• Most network resources: username/password only
• LIMITED USE OF MFA CREATES WEAK LINKS

DEVICE-BASED MULTI-FACTOR
• Your device is one of the factors
• The USER CREDENTIAL is an asymmetric key pair, provisioned via PKI or created locally via Windows 10
• Secured by hardware
Identity Protection: MICROSOFT PASSPORT, a new approach
• User proves identity to the Windows 10 device
• Windows 10 to the identity provider (IDP): “Trust my unique key” (IDPs: Active Directory, Azure AD, Google, Facebook, Microsoft Account)
• IDP to Windows 10: “Here is your authentication token”
• Intranet resources: “We trust tokens from IDP”
Identity Protection: Two ways to access your Passport
• PIN: simplest implementation option; works on existing devices; user familiarity
• Biometrics: enables multi-factor; ease of use; impossible to forget

WINDOWS HELLO (“Hello Chris”)
• Fingerprint
• Iris
• Facial
• FIDO ALLIANCE: board-level members
DEMO Microsoft Passport and Windows Hello
Information Protection: DATA LEAKAGE
• 87% of senior managers admit to regularly uploading work files to a personal email or cloud account [1]
• 58% have accidentally sent sensitive information to the wrong person [1]
• $240 PER RECORD: average per-record cost of a data breach across all industries [2]

[1] Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013
[2] HIPAA Secure Now, “A look at the cost of healthcare data breaches,” Art Gross, March 30, 2012
INFORMATION PROTECTION NEEDS
• DEVICE PROTECTION: protect system and data when a device is lost or stolen (BitLocker enhancements in Windows 8.1; InstantGo; 3rd-party adoption)
• DATA SEPARATION: containment; BYOD separation
• LEAK PROTECTION: prevent unauthorized apps from accessing data
• SHARING PROTECTION: protect data when shared with others, or shared outside of organizational devices and control

DATA-AT-REST PROTECTION: Device Encryption and BitLocker
• Device Encryption is automatic encryption powered by BitLocker
• BitLocker is provisioned by IT and includes management capability
• Easiest deployment, leading security, reliability, and performance
• Single sign-on for modern devices; configurable on legacy hardware
• Enterprise-grade management (MBAM) and compliance (FIPS)
• TPM to be standard equipment on all Windows devices in 2015
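The IT-provisioned BitLocker path described above, as an added example that is not part of the Kraft Kennedy deck: it refuses to proceed without a ready TPM, creates a recovery password and escrows it to Active Directory before sealing the volume, and only then enables encryption with the TPM as the unlock protector. It assumes a domain-joined Windows 10 device with the BitLocker PowerShell module and a Group Policy that permits storing recovery information in AD DS.

```powershell
# Added example (not from the deck): provision BitLocker on the OS volume the
# way the slide describes (IT-provisioned, TPM-backed, manageable). Assumes a
# domain-joined Windows 10 device where the BitLocker GPO "Store BitLocker
# recovery information in Active Directory Domain Services" is enabled.
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive   # e.g. "C:"

# Refuse to proceed without a ready TPM: the point of the design is a
# hardware-bound unlock key, not a password the user can be phished for.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; a TPM-protected BitLocker volume cannot be configured on this device."
}

$vol = Get-BitLockerVolume -MountPoint $osDrive

# Create a numerical recovery password first, so a recovery path exists
# before the volume is sealed to this specific TPM.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
}

# Escrow every recovery password to AD DS. If the backup fails, stop: an
# encrypted laptop whose recovery key is only on the laptop is a data-loss risk.
$vol = Get-BitLockerVolume -MountPoint $osDrive
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
}

# Turn on encryption with the TPM as the unlock protector. -UsedSpaceOnly is
# appropriate for a freshly imaged device; use full encryption on reused disks.
if ($vol.ProtectionStatus -eq 'Off') {
    Enable-BitLocker -MountPoint $osDrive -TpmProtector -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest
}

# Report the state an MBAM/compliance check would look at.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

The order matters: the recovery password is added and escrowed before `Enable-BitLocker` so that a failed escrow aborts the run rather than leaving a sealed volume with no recovery path in AD.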
INTRODUCING Enterprise Data Protection: A DIFFERENT APPROACH
Protects data at rest, and wherever it rests or may roam to
• Seamless integration into the platform: no mode switching, use any app
• Corporate vs. personal data identifiable wherever it rests on the device
• Prevents unauthorized apps from accessing business data
• Copy and paste protection; remote wipe of data on demand
• Common experience across all Windows devices, with cross-platform support
SHARING PROTECTION: Rights Management Services
Adding persistent and non-removable protection to data
• Protect all file types, everywhere they go: cloud, email, BYOD, …
• Support for all commonly used devices and systems: Windows, OS X, iOS, Android
• Can be automatically applied to mail, OneDrive Pro, etc.
Significant improvements over Windows 7
• Support for B2B and B2B via Azure AD
• Support for on-premises and cloud-based scenarios (e.g. Office 365)
• Seamless, easy to provision, with support for FIPS 140-2 regulation and compliance
DEMO Enterprise Data Protection
Securing the device
• Secure Boot
• Device Guard
• Device Health
• Windows Defender
• Windows Update for Business

Device protection: TWO PATHS TO CHOOSE FROM
Traditional approach
• The way things have always been
• Carries increased risk
Device Guard
• A new approach for the Windows desktop
• Requires a change in process for apps
• Requires additional software to manage
• Offers incredible protection
The Windows desktop can be configured to only run trusted apps, just like many mobile OSs (e.g. Windows Phone).

DEVICE GUARD: Getting Apps into the Circle of Trust
• Supports all apps, including Universal and Desktop (Win32)
• Apps must be specially signed using the Microsoft signing service; no additional modification is required
• The signing service will be made available to OEMs, IHVs, ISVs, and Enterprises
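The “circle of trust” is enforced by a code integrity policy that lists which signers (and, as a fallback, which file hashes) the kernel will allow to execute. The following is an added example, not code from the deck or from Microsoft: it builds such a policy from a known-good reference machine, deploys it in audit mode so that violations are logged rather than blocked, and provides a helper to read the audit events before the policy is switched to enforcement. The file paths are placeholders; it assumes Windows 10 Enterprise with the ConfigCI module.

```powershell
# Added example (not from the deck): create a Device Guard code integrity
# policy, stage it in audit mode, and review what it would have blocked.
# Paths are placeholders; assumes Windows 10 Enterprise with the ConfigCI module.
#Requires -RunAsAdministrator

$xmlPath    = 'C:\CIPolicy\InitialScan.xml'                              # placeholder
$binPath    = 'C:\CIPolicy\SIPolicy.p7b'                                 # placeholder
$deployPath = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"      # where the kernel reads it

New-Item -ItemType Directory -Path (Split-Path $xmlPath) -Force | Out-Null

# Scan the reference image. -Level Publisher trusts binaries by their signing
# certificate chain (the circle of trust); -Fallback Hash covers unsigned files
# by hash so they are not silently omitted; -UserPEs includes user-mode
# binaries, not only kernel drivers. Scanning C:\ takes a while.
New-CIPolicy -FilePath $xmlPath -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' 3>$null

# Rule option 3 = "Enabled:Audit Mode": non-conforming images are logged to
# Microsoft-Windows-CodeIntegrity/Operational instead of being blocked.
Set-RuleOption -FilePath $xmlPath -Option 3

# Compile to the binary form the kernel consumes and stage it; takes effect at reboot.
ConvertFrom-CIPolicy -XmlFilePath $xmlPath -BinaryFilePath $binPath | Out-Null
Copy-Item -Path $binPath -Destination $deployPath -Force
Write-Host "Audit-mode CI policy staged at $deployPath; reboot to activate."

# Event ID 3076 is the audit-mode "would have been blocked" record. Review
# these across the pilot ring; every legitimate app that appears here needs to
# be signed (or have its publisher added) before enforcement is turned on.
function Get-CIAuditEvents {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# To move from audit to enforcement once the audit log is clean:
#   Set-RuleOption -FilePath $xmlPath -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $xmlPath -BinaryFilePath $binPath
# and redeploy the .p7b in the same way.
```

Running in audit mode first is what makes the “requires a change in process for apps” trade-off manageable: the 3076 events are the list of line-of-business applications that still need to go through the signing service.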
Windows Deployment: WINDOWS 10 WORKS WITH EXISTING MS INFRASTRUCTURE
The slide rates each product on “Supports Windows 10 Management” and “Supports Windows 10 Deployment”:
• System Center 2012 R2 Configuration Manager
• System Center 2012 Configuration Manager
• System Center Configuration Manager 2007
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008
• Microsoft Deployment Toolkit 2013 Update 1
DEPLOYMENT CHOICES
Wipe-and-Load (traditional process; still an option for all scenarios)
• Capture data and settings
• Deploy (custom) OS image
• Inject drivers
• Install apps
• Restore data and settings
In-Place (let Windows do the work; recommended for existing devices running Windows 7/8/8.1)
• Preserve all data, settings, apps, drivers
• Install (standard) OS image
• Restore everything
Provisioning (configure new devices; new capability for new devices)
• Transform into an Enterprise device
• Remove extra items, add organizational apps and config
App, web and device compatibility
Managed for Continuous Innovation: SET UP NEW DEVICES RIGHT OUT OF THE BOX
• Use off-the-shelf hardware: retail or channel devices
• Configure with a single file: apply a provisioning package; email the file; simple workflow
• Device is ready for productive use
MANAGEMENT CHOICES (organizations may mix and match, depending on their specific scenario)
• Identity: Active Directory; Azure Active Directory
• Management: Group Policy; System Center Configuration Manager; 3rd-party PC management; Intune / 3rd-party MDM
• Updates: Windows Update; Windows Update for Business; Windows Server Update Services (WSUS)
• Infrastructure: On-premises; In the cloud
• Ownership: Corporate-owned; CYOD; BYOD
Managed for Continuous Innovation: PREPARING IMAGING PROCESSES FOR WINDOWS 10
Market-driven quality, external and internal users. Validation stages, from the smallest to the broadest audience: Engineering Builds; Broad Microsoft Internal Validation; Windows Insider Preview Branch; Current Branch; Current Branch for Business. Audience sizes shown on the slide: 10’s of thousands; several million; hundreds of millions; over 1 billion Windows users.
An organization staggers its own rollout the same way, as deployment rings spread over time: Contoso Internal Ring 1, Ring 2, Ring 3, Ring 4.
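One way to make the Contoso ring model concrete on each device is to set its Windows Update for Business deferral policy according to the ring it belongs to. The script below is an added example and not part of the deck: it assumes Windows 10 version 1511 or later, where the “Defer Upgrades and Updates” policy is stored as DWORD values under the WindowsUpdate policy key, and it assumes a device tag at HKLM:\SOFTWARE\Contoso\DeploymentRing written at provisioning time. The ring-to-deferral mapping is illustrative, not a Microsoft or Kraft Kennedy recommendation.

```powershell
# Added example (not from the deck): apply a Windows Update for Business
# deferral profile per deployment ring. Assumes Windows 10 1511+ (policy values
# DeferUpgrade / DeferUpgradePeriod / DeferUpdatePeriod / PauseDeferrals) and a
# hypothetical per-device ring tag under HKLM:\SOFTWARE\Contoso.
#Requires -RunAsAdministrator

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$tagKey    = 'HKLM:\SOFTWARE\Contoso'   # hypothetical; set during provisioning

# Ring 1 is the pilot on Current Branch (no deferral). Later rings defer
# feature upgrades (months, 0-8) and quality updates (weeks, 0-4) further,
# with Ring 4 effectively on Current Branch for Business. Illustrative values.
$ringPolicy = @{
    1 = @{ DeferUpgrade = 0; DeferUpgradePeriod = 0; DeferUpdatePeriod = 0 }
    2 = @{ DeferUpgrade = 1; DeferUpgradePeriod = 1; DeferUpdatePeriod = 1 }
    3 = @{ DeferUpgrade = 1; DeferUpgradePeriod = 3; DeferUpdatePeriod = 2 }
    4 = @{ DeferUpgrade = 1; DeferUpgradePeriod = 6; DeferUpdatePeriod = 4 }
}

function Set-UpdateRing {
    param([Parameter(Mandatory)][ValidateSet(1, 2, 3, 4)][int]$Ring)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($entry in $ringPolicy[$Ring].GetEnumerator()) {
        Set-ItemProperty -Path $policyKey -Name $entry.Key -Value $entry.Value -Type DWord
    }
    # Make sure nobody left the ring frozen: PauseDeferrals=1 stops all updates.
    Set-ItemProperty -Path $policyKey -Name PauseDeferrals -Value 0 -Type DWord
}

function Get-UpdateRingState {
    Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue |
        Select-Object DeferUpgrade, DeferUpgradePeriod, DeferUpdatePeriod, PauseDeferrals
}

# Resolve the device's ring from the provisioning tag; default to the most
# conservative ring when the tag is missing, so an untagged device never
# lands in the pilot by accident.
$tag  = Get-ItemProperty -Path $tagKey -Name DeploymentRing -ErrorAction SilentlyContinue
$ring = if ($tag) { [int]$tag.DeploymentRing } else { 4 }
Write-Host "Applying Windows Update for Business profile for ring $ring"
Set-UpdateRing -Ring $ring
Get-UpdateRingState
```

In a managed environment these values would normally come from Group Policy, ConfigMgr or an MDM profile targeted at the ring’s collection rather than from a local script; the script shows the settings each of those tools ends up writing.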
WINDOWS MANAGEMENT
Server software
• Windows Server: Active Directory; Group Policy; Windows Server Update Services (WSUS)
• System Center Configuration Manager
• Microsoft Desktop Optimization Pack (MDOP)
Windows client
• Windows Management Instrumentation (WMI); Windows Remote Management (WinRM); Windows Update; Group Policy Client; Mobile Device Management (MDM) Agent; PowerShell; AppLocker
Cloud services
• Azure Active Directory; Azure RMS; Microsoft Intune; Windows Store
EXTENDING WITH WINDOWS 10 – HEAT MAP
Dimensions: Deployment; Management; Security; Identity; Provisioning
• Management: CM vNext; MDM; new feature management and configuration
• Security: virtualization-based security; Device Guard; Enterprise Data Protection; Secure Boot; Trusted Boot
• Identity: Microsoft Passport; Windows Hello; Azure AD; Azure AD Connect; PKI; schema/DCs
• Deployment and provisioning: new Windows ADK; WICD; MDM service
• Device prerequisites: UEFI 2.3.1 or later; TPM 1.2 or later; virtualization extensions; biometric reader
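The device prerequisites on the heat map are the part of the heat map an assessment can check before a pilot starts. The following read-only script is an added example, not from the deck: it reports UEFI Secure Boot state, TPM presence and spec version, CPU virtualization and SLAT support (needed for virtualization-based security), what the Device Guard WMI class says is configured versus running, and whether a biometric device is present for Windows Hello. It uses only built-in Windows 10 cmdlets and WMI classes; the pass/fail summary at the end is this example’s own reading of the slide’s list.

```powershell
# Added example (not from the deck): report whether a Windows 10 device meets
# the hardware prerequisites for Device Guard / VSM, BitLocker and Windows
# Hello. Read-only; uses built-in cmdlets and WMI classes only.
#Requires -RunAsAdministrator

function Get-Win10SecurityReadiness {
    $result = [ordered]@{}

    # UEFI + Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
    # which for our purposes is the same answer as "not enabled".
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }

    # TPM presence and spec version (e.g. "1.2, 2, 3" or "2.0").
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent     = [bool]$tpm
    $result.TpmSpecVersion = if ($tpm) { $tpm.SpecVersion } else { $null }

    # CPU virtualization extensions (VT-x / AMD-V) and SLAT, which VSM needs.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $result.VirtualizationEnabledInFirmware = [bool]$cpu.VirtualizationFirmwareEnabled
    $result.SecondLevelAddressTranslation  = [bool]$cpu.SecondLevelAddressTranslationExtensions

    # Device Guard status as Windows itself reports it.
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.VbsStatus               = if ($dg) { $dg.VirtualizationBasedSecurityStatus } else { $null }
    $result.SecurityServicesRunning = if ($dg) { $dg.SecurityServicesRunning } else { $null }

    # Biometric devices (fingerprint readers, Hello-capable cameras) enumerated by PnP.
    $bio = Get-PnpDevice -Class Biometric -ErrorAction SilentlyContinue | Where-Object Status -eq 'OK'
    $result.BiometricReaderPresent = [bool]$bio

    [pscustomobject]$result
}

$r = Get-Win10SecurityReadiness
$r | Format-List

# One-line verdict on the must-haves for Device Guard / VSM from the slide
# (UEFI with Secure Boot, a TPM, virtualization extensions with SLAT).
$ready = $r.SecureBoot -and $r.TpmPresent -and $r.VirtualizationEnabledInFirmware -and $r.SecondLevelAddressTranslation
Write-Host ("Device Guard / VSM hardware prerequisites met: {0}" -f $ready)
if (-not $r.BiometricReaderPresent) { Write-Host "No biometric reader: Windows Hello would fall back to PIN on this device." }
```

Collected across a fleet (for example as a ConfigMgr hardware-inventory script), the per-device results give the list of machines that will need firmware settings changed or replacing before the security features on the heat map can be turned on.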
[Figure: Internet Explorer timeline, 1995 to 2015 (IE 1, 2, 3, 4, 4.x, 5, 5.5, 6, 7, 8, 9, 10, 11). “Internet Browsing” era: HTML4, ES3, CSS2, CSS2.1. “Modern Web” era: HTML5, SVG, ES5/6, CSS3.]
MICROSOFT EDGE IS…
• Built for Windows 10
• Built on the Universal Windows Platform
• Updated frequently, along with Windows 10
• Manageable through Group Policy and Mobile Device Management
• Ready for the future
• Free from legacy Internet Explorer extensibility points
• Built on top of modern security protections
• Able to launch Internet Explorer 11 when needed

DEMO: Start Menu; Notifications; Cortana; Questions; Reminders; Task View; Edge Browser
Getting to Windows 10
Windows 8.1 (x64) / Office 2013, and Windows 7 (x64) / Office 2013
• Tweak existing deployment process
• Minimal application updates required
• Drivers must be updated
• In-place upgrade worth testing
Windows 7 or 8.1 (x86) / Office 2013
• Full images will need to be rebuilt
• Many applications will require changes
• Drivers must be completely regenerated
Windows 7 / Office 2010 or 2007
• Full images will need to be rebuilt
• All applications will require changes
• Significant work required to certify all changes
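The four starting points above, together with the deployment choices earlier in the deck, come down to a per-device decision: is this an x64 Windows 7/8.1 machine with Office 2013 that can be piloted through the in-place upgrade, or does it need a rebuilt image? The script below is an added example, not part of the deck: it classifies the device from the OS version, architecture and installed Office version, and for in-place candidates launches Windows 10 setup unattended from a network share with logs collected for the deployment team. The share path, log directory and the registry-based Office detection are assumptions.

```powershell
# Added example (not from the deck): classify a device into one of the slide's
# "Getting to Windows 10" starting points and, for in-place candidates, run an
# unattended in-place upgrade pilot. Share path, log path and the Office
# version detection (Office registry InstallRoot keys) are assumptions.
#Requires -RunAsAdministrator

$mediaRoot = '\\deploy\win10\x64'                 # placeholder: extracted Windows 10 x64 media
$logDir    = "$env:SystemDrive\Win10Upgrade"     # placeholder: where setup logs are copied

function Get-OfficeMajorVersion {
    # Assumption: MSI/C2R Office registers HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Office\<ver>\Common\InstallRoot.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Office', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office'
    $versions = foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^\d+\.\d+$' -and (Test-Path "$($_.PSPath)\Common\InstallRoot") } |
            ForEach-Object { [version]$_.PSChildName }
    }
    ($versions | Sort-Object -Descending | Select-Object -First 1).Major
}

function Get-UpgradeStartingPoint {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $is64 = $os.OSArchitecture -like '64*'
    $ver  = [version]$os.Version      # 6.1 = Windows 7, 6.3 = Windows 8.1, 10.0 = Windows 10
    $office2013 = (Get-OfficeMajorVersion) -ge 15   # 15.0 = Office 2013

    if ($ver.Major -ge 10)            { return 'AlreadyWindows10' }
    if ($is64 -and $office2013)       { return 'InPlaceCandidate' }      # Win7/8.1 x64 + Office 2013
    if ((-not $is64) -and $office2013){ return 'RebuildImage' }          # x86 + Office 2013
    return 'RebuildImageAndApps'                                         # Windows 7 + Office 2010/2007
}

function Start-InPlaceUpgrade {
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    # /auto upgrade keeps apps, settings and data (the "In-Place" choice);
    # /quiet suppresses UI; /noreboot lets the deployment tool schedule the
    # restart; /dynamicupdate disable keeps the pilot reproducible;
    # /copylogs collects setup logs for troubleshooting failed upgrades.
    $setupArgs = "/auto upgrade /quiet /noreboot /dynamicupdate disable /copylogs `"$logDir`""
    Start-Process -FilePath (Join-Path $mediaRoot 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru
}

$point = Get-UpgradeStartingPoint
Write-Host "Starting point: $point"
if ($point -eq 'InPlaceCandidate') {
    $p = Start-InPlaceUpgrade
    Write-Host ("setup.exe exited with 0x{0:X}" -f $p.ExitCode)
} else {
    Write-Host "Not an in-place candidate per the upgrade-path slide; route to the image rebuild track."
}
```

The classification deliberately errs toward the rebuild track when Office cannot be detected, which matches the deck’s lesson that the in-place upgrade is “worth testing” only on the x64 / Office 2013 baseline.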
Lessons Learned
• Application updates
• Group Policy review
• Driver updates
• Waiting for Microsoft tools: Microsoft Deployment Toolkit; ADMX; SCCM support; ADK; RSAT
Lessons Learned – Part 2
• In-place upgrade option
• Remote imaging process
• DirectAccess benefits
• Default user settings

Enterprise or Professional?
Features the slide compares across the Professional and Enterprise editions: Windows Hello & Passport; Enterprise Data Protection; Device Guard; Cortana; Edge browser; BitLocker; DirectAccess; Current Branch for Business
CONTACT INFORMATION
Todd Parkin, Practice Manager: [email protected], 212-692-5655
Chris Owens, Practice Leader: [email protected], 713-221-5311
Thank you for coming!